Skip to content
Three Levers symbol Three Levers ← threelevers.com

Salesforce setup

Use this checklist to deploy FlowIframeEmbed in a Salesforce org and expose a flow on a public Salesforce Site.

Prerequisites

Section titled “Prerequisites”
  • FlowIframeEmbed package is installed (or equivalent metadata deployed).
  • You know the Flow API Developer Name to run (for example, Check_In_Dispatch).
  • You have an external page ready to host the iframe/widget.

1) Prepare the flow

Section titled “1) Prepare the flow”
  1. Create or open the target Screen Flow.
  2. Activate the flow.
  3. If you pass URL inputs, create Text input variables with API names matching planned params (for example recordId, source).
  4. Test in Flow Builder to confirm it reaches FINISHED.

2) Expose the Visualforce page on a Site

Section titled “2) Expose the Visualforce page on a Site”
  1. Go to Setup -> User Interface -> Sites and Domains -> Sites.
  2. Create a site (or reuse an existing public site).
  3. Add the Visualforce page FlowIframeEmbed to the site.
  4. Publish/activate the site.

Your iframe base URL should look like:

https://your-domain.force.com/site-prefix/FlowIframeEmbed

3) Grant guest user access

Section titled “3) Grant guest user access”

From the site’s Guest User Profile:

  1. Enabled Visualforce Page Access: add FlowIframeEmbed.
  2. Enabled Apex Class Access (if flow uses Apex actions): add required classes.
  3. Flow access: ensure guest can run the flow and referenced resources.

If flow fails only for guest users, this profile is the first place to check.

4) Configure framing and browser security

Section titled “4) Configure framing and browser security”
  1. Configure Salesforce clickjack/CSP settings for your external domain.
  2. If using JavaScript widget, set allowedOrigin to Salesforce site origin:
window.tlFlowEmbed = {
  embedUrl: 'https://your-domain.force.com/site-prefix/FlowIframeEmbed',
  flow: 'Check_In_Dispatch',
  allowedOrigin: 'https://your-domain.force.com'
};

This restricts resize messages to your Salesforce origin.

5) Build the iframe URL correctly

Section titled “5) Build the iframe URL correctly”

Required:

  • flow=<Flow_Developer_Name>

Optional:

  • endUrl=<https URL> redirects parent window on FINISHED
  • inputVars=<comma separated allowlist>
  • extra params that match names in inputVars

Example:

https://your-domain.force.com/site-prefix/FlowIframeEmbed?flow=Check_In_Dispatch&endUrl=https://clientsite.com/thanks&inputVars=recordId,source&recordId=001xx0000001234&source=web

6) External page embed

Section titled “6) External page embed”

Use either:

  • JavaScript widget for URL building + dynamic height.
  • Manual iframe plus postMessage listener for { frameHeight: number }.

7) Validation checklist before go-live

Section titled “7) Validation checklist before go-live”
  • Site URL loads publicly without Salesforce login.
  • Flow renders in iframe on client page.
  • Dynamic resize works (no inner scrollbar cutoff).
  • Flow inputs receive expected values.
  • endUrl redirect works on completion.
  • Guest user can complete intended flow paths.
  • Fault path tested and shows safe user message.

Common issues

Section titled “Common issues”
  • Blank iframe / refuses to display: framing/clickjack/CSP missing for host domain.
  • Flow does not start: wrong flow value (must be API Developer Name).
  • Inputs missing: inputVars omitted or names don’t match flow variable API names exactly.
  • No redirect: flow never reaches FINISHED or endUrl missing/invalid.
  • Works for admin, fails for public users: missing guest profile access.
Section titled “Related docs”